Tuesday, November 11, 2008

In measuring the frequency with which malware domains changed IP addresses, I had two goals. One was to quantify enemy tactics, and the other was to evaluate the effectiveness of the tools we employ against them.

After stateful packet inspection, IP address blocking is the most commonly utilized method of securing the perimeter through filtering. Overreliance on IP address blocking has been criticized as inadequate (http://blog.fireeye.com/research/2008/11/the-case-against-url-blacklists.html), and numerous analysts have suggested that it should be utilized in conjunction with Black Hole DNS (BHDNS) (http://malwaredomains.com/). This may seem to be self-evident, but little data has been available regarding its comparative effectiveness.

I examined malware domains active between October 10th and November 10th 2008, and found that as the life of a malware domain progressed, it was increasingly likely to have its IP address changed. This is the likely result of cybercriminals attempting to evade IP address blocking.

After 7 days, 80% of malware domains retained their initial IP address. 10% were no longer resolving, and 10% of the domains had undergone an IP address change.

After 15 days, 56% of malware domains retained their initial IP address. 21% of malware domains were no longer resolving, and 23% of the domains had undergone an IP address change.

At 30 days, 50% of malware domains retained their initial IP address. 7% of the domains were no longer resolving, and 42% of malware domains had undergone an IP address change.

The data indicate that a network administrator who implements IP address blocking on a 30-day update cycle is facing up to a 42% failure rate in the effectiveness of the perimeter filtering policy. The data also imply that the RBN and other malware operators have a strategy of changing the IP address of malware domains in order to evade IP address blocking.
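The measurement described in this post, as an added example that is not part of the original: a short Python script that takes a constructed set of resolution histories, reports the retained / changed / no-longer-resolving split at 7, 15 and 30 days, and estimates the share of still-live domains that an IP blocklist compiled on day 0 would miss at a later check (a domain-level BHDNS list compiled the same day misses none, since the names do not change). The domain names, the TEST-NET addresses and the HISTORY data are all constructed for illustration.

```python
from collections import Counter

# Constructed sample (not the post's dataset): for each malware domain,
# the IP it resolved to on a given day after first being listed.
# None records that the domain no longer resolved. Days without an
# entry keep the most recent earlier observation.
HISTORY = {
    "mal-a.example": {0: "192.0.2.10"},                                   # stable for 30 days
    "mal-b.example": {0: "192.0.2.20", 12: "198.51.100.20"},              # moved once
    "mal-c.example": {0: "192.0.2.30", 5: None},                          # stopped resolving
    "mal-d.example": {0: "192.0.2.40", 8: "198.51.100.40", 20: "203.0.113.40"},  # moved twice
    "mal-e.example": {0: "192.0.2.50", 25: None},                         # went dark late
}

def resolve_on(history, day):
    """IP the domain resolved to on `day` (None if it no longer resolved)."""
    last = max(d for d in history if d <= day)
    return history[last]

def classify(history, day):
    """'retained' / 'changed' / 'gone' relative to the day-0 address."""
    ip = resolve_on(history, day)
    if ip is None:
        return "gone"
    return "retained" if ip == history[0] else "changed"

def breakdown(histories, day):
    """Percentage of domains in each of the three states the post reports."""
    counts = Counter(classify(h, day) for h in histories.values())
    n = len(histories)
    return {k: round(100 * counts[k] / n) for k in ("retained", "gone", "changed")}

def ip_blocklist_miss_rate(histories, snapshot_day, check_day):
    """Share of domains still resolving on `check_day` whose current IP is
    absent from an IP blocklist compiled on `snapshot_day`."""
    blocked = {resolve_on(h, snapshot_day) for h in histories.values()} - {None}
    live = [ip for ip in (resolve_on(h, check_day) for h in histories.values()) if ip]
    missed = sum(1 for ip in live if ip not in blocked)
    return round(100 * missed / len(live)) if live else 0

if __name__ == "__main__":
    for day in (7, 15, 30):
        print(f"day {day:2d}: {breakdown(HISTORY, day)}")
    print("IP blocklist from day 0, checked at day 30, misses",
          f"{ip_blocklist_miss_rate(HISTORY, 0, 30)}% of live domains")
```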